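# $NetBSD: named.conf,v 1.11 2024/03/07 14:21:03 christos Exp $

# boot file for secondary name server
# Note that there should be one primary entry for each SOA record.
# If you cannot get DNSSEC to work, and you see the following message:
# DNSKEY: verify failed due to bad signature (keyid=19036): \
# RRSIG validity period has not begun
# Fix your clock. You can comment out the dnssec entries temporarily to
# get to an ntp server.
#
# RRSIG records carry a validity window, so validation fails when the
# local clock is outside it.  While the dnssec entries are commented
# out, answers are accepted without signature checks; restore the
# entries as soon as the clock has been set.

options {
	# Relative file names below are resolved against this directory.
	directory "/etc/namedb";

	# Validate DNSSEC signatures using the root trust anchor;
	# bindkeys-file supplies the anchor and managed-keys-directory
	# holds the state named keeps while tracking it.
	dnssec-validation auto;
	managed-keys-directory "keys";
	bindkeys-file "bind.keys";

	# Answer recursive queries only for this host and its directly
	# attached networks, so the server is not an open resolver.
	allow-recursion { localhost; localnets; };

	# Cap both the UDP responses sent and the EDNS buffer size
	# advertised at 1220 bytes.
	# NOTE(review): presumably chosen to keep replies below the
	# IPv6 minimum MTU and avoid IP fragmentation -- confirm.
	max-udp-size 1220;
	edns-udp-size 1220;

	#
	# This forces all queries to come from port 53; might be
	# needed for firewall traversals but should be avoided if
	# at all possible because of the risk of spoofing attacks.
	# (A fixed source port removes source-port randomization, one
	# of the values an off-path forger of replies has to guess.)
	#
	#query-source address * port 53;
};

# Root hints: where to start when resolving names outside local zones.
zone "." {
	type hint;
	file "root.cache";
};

# Loopback zones served locally so these lookups never leave the host.
zone "localhost" {
	type master;
	file "localhost";
};

zone "127.IN-ADDR.ARPA" {
	type master;
	file "127";
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
	type master;
	file "loopback.v6";
};

# example secondary server config:
#
# As written, the primaries listed under "masters" are identified by
# address only; a TSIG key can be attached to each entry when zone
# transfers need to be authenticated.
#
# zone "Berkeley.EDU" {
#	type slave;
#	file "berkeley.edu.cache";
#	masters {
#		128.32.130.11;
#		128.32.133.1;
#	};
# };

# zone "32.128.IN-ADDR.ARPA" {
#	type slave;
#	file "128.32.cache";
#	masters {
#		128.32.130.11;
#		128.32.133.1;
#	};
# };

# example primary server config:
#
# zone "Berkeley.EDU" {
#	type master;
#	file "berkeley.edu";
# };

# zone "32.128.IN-ADDR.ARPA" {
#	type master;
#	file "128.32";
# };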